October 2004 - Posts
Hacking: Fight Back: How A Criminal Might Infiltrate Your Network -- TechNet Magazine, Winter 2005
By Jesper Johansson
One of the great mysteries in security management is the modus operandi of criminal hackers. If you don't know how they can attack you, how can you protect yourself from them? Prepare to be enlightened.
From Chris Sells' place...
Marquee de Sells: Chris's insight outlet
Mark Levison of Databeacon talks about the first commercial-grade .NET No-Touch Deployment application to be deployed over the internet (at least, as far as he and I know). I asked Mark what his motivations were for using a smart client instead of a web app. These were his reasons...
A few days ago Julie Lerman sent me a copy of BLInk to try out. BLInk is ink-enabled blogging software that Julie wrote - perfect for Tablet PC users.
Bottom line: it's cool stuff.
It has all the text editing features one would expect - cut, copy, paste, bold, underline, italics, change font face, size, color, strikethrough, etc. I can't do bullets from design mode, but it's easy to switch to HTML view and add them.
It supports the Blogger and MetaBlog APIs. (It's a shame the API doesn't support the Title & Category attributes. I use dasBlog so it means I have to jump to my blog to set those fields manually. BlogJet somehow gets around this issue - it has a special "dasBlog" setting. This is #1 on my wish list for BLInk.)
Update: Well, if I used the right API I wouldn't have to worry about things like Titles and Categories not appearing. I had mistakenly chosen the Blogger API instead of MetaBlog to work with my dasBlog blog. Heh. Thanks for getting me pointed in the right direction Julie! : )
My spelling is absolutely horrible, so a spell checker is critical to me. I create the text of my posts in Microsoft Word, then copy / paste into Notepad (to remove all the Word markup), then copy / paste into BLInk. It would be nice not to have to take the extra steps, but I REALLY need spell checking. This is #2 on my wish list for BLInk.
I really like the drawing surface that automatically creates an image and plugs it into the entry. When you post to your blog the editor automatically posts the picture to your server and wires up the link. I REALLY like that. I have a couple of posts that I'm going to do (just haven't taken the time to do them yet) that will take advantage of this feature. This is a HOME RUN for me.
It's a work in progress, but BLInk is definitely headed in the right direction.
The sessions at the Applied XML DevCon come in two flavors: theory and applied. Sometimes the theory sessions devolve into trash talk, putting down someone else's theories - with the other person sitting in the room and making comments back to the speaker from the audience. This year's conference was a bit more tame in that regard (compared to last year's), but the interaction between the speaker and audience is quite dynamic and encouraged. It's very different from a PDC or TechEd, and it makes for a very lively, entertaining, and educational conference.
The "Applied" sessions can be hit or miss (mostly "hit"), depending on who is doing the presentation (the person's speaking skills) and the topic. It's very interesting to see how people and companies have used the emerging XML and Web Services standards to get real work done and solve real world problems. Two "applied" talks from this year's conference especially stood out.
Scott Hanselman and Patrick Cauldwell (both of Corillian) did an excellent job of presenting their framework (at the heart of Corillian's banking software), explaining the rationale behind their design decisions. It was easy to tell they had put quite a bit of thought into their system and its architecture.
Whit Kemmy (Department of Defense) gave the best presentation of this year's conference. He had pictures of submarines and missiles, which were like porn to a bunch of nerds. But beyond the pictures, the systems he described and the innovative way they have used XML were very fascinating. They work with extremely rigorous constraints and have to build and understand their systems from the ground up. They wrote their own operating system, compiler, created their own keyboards and displays. They have to intimately know every detail of their systems. And they want the systems to be very easy for a 19 year old testosterone driven soldier to operate. No "oops" are allowed when you're working with nuclear weapons.
From James Vastbinder's blog.
New MS Emerging Business site launched
I am very excited about the new home for Emerging Business on microsoft.com. This is the new home for information answering the following questions, which I get all the time:
- How can MS help me get funded?
- Can MS fund my startup?
- Would MS like to buy my IP/product/company?
- How do I connect with Microsoft since I'm just starting my company or new idea?
All these are great questions and the ISV partner program is there to answer these questions and more. I'm just glad we now have a dedicated externally focused portal to fulfill this need.
It's along the same lines as what Paul Murphy was talking about the other day: A personal story of business - now is the time.
I just received this e-mail a bit ago.
Dear PayPal valued member,
Due to concerns, for the safety and integrity of the PayPal
community we have issued this warning message.
It has come to our attention that your account information needs
to be updated due to inactive accounts, frauds and spoof reports.
If you could please take 5-10 minutes out of your online experience and renew
your records you will not run into any future problems with the online service.
However, failure to update your records will result in account deletation.
This notification expires on 11/01/2004.
Once you have updated your account records your PayPal will not be
interrupted and will continue as normal.
Please follow the link below
and renew your account information.
https://www.paypal.com/cgi-bin/webscr?cmd=login-run
PayPal Service Department
But the link really goes here: http://www.globalamericanline.com/register/wf/index.htm, not to PayPal (big surprise, right?)
They want me to enter my PayPal ID and Password. Heh. Assholes!
I looked up the domain registration information for GlobalAmericanLine.com. It's registered to:
Domain name: GLOBALAMERICANLINE.COM
Registrant Contact:
TritonNetworks
Khalil Qureshi (khalil_qureshi@yahoo.com)
201-784-3844
Fax: 208-723-9153
165 County Rd
Tenafly, NJ 07670
Khalil, are you trying to rip me off?!?
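The giveaway in this mail is that the visible link text is a paypal.com URL while the href points somewhere else. The following is an added example (not part of the original post) of how a mail filter or client could flag exactly that: it parses the anchors out of an HTML body and reports any whose displayed text is a URL on a different host than the one the link actually goes to. The HTML snippet is constructed to resemble the mail; it is not the real message body.

```python
"""Flag anchors whose visible text claims one host while the href points at another.

Added example, not from the original post. SAMPLE_HTML is constructed to mirror
the phishing mail above: the anchor text is a paypal.com URL, the href is not.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not the actual mail); the second link is a legitimate control case.
SAMPLE_HTML = """
<p>Please follow the link below and renew your account information.</p>
<a href="http://www.globalamericanline.com/register/wf/index.htm">https://www.paypal.com/cgi-bin/webscr?cmd=login-run</a>
<p>Questions? See <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text that sits inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of an absolute URL, or None if the string is not one (plain link text)."""
    parsed = urlparse(url.strip())
    return parsed.hostname.lower() if parsed.hostname else None


def mismatched_links(html):
    """Return anchors whose visible text is a URL on a different host than the href's host."""
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            suspicious.append({"shown_host": shown, "actual_host": real, "href": href})
    return suspicious


if __name__ == "__main__":
    for hit in mismatched_links(SAMPLE_HTML):
        print(f"link text claims {hit['shown_host']} but actually goes to {hit['actual_host']}")
```

Only anchors whose text parses as an absolute URL are compared; a link whose text is just words ("click here") gives the filter nothing to compare against, so a real deployment would pair this with the usual sender and domain checks.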
Coming in December, the SQL Server 2005 Webcast series. Take a look!
SQL Server Developer Center:
Get a sneak peek at what Microsoft SQL Server 2005 Beta 2 has in store for the future of database development. SQL Server 2005 offers a new paradigm for database development that integrates SQL Server and the CLR to provide several major benefits including an enhanced programming model, enhanced safety and security, user defined types and aggregates, and a common development environment, where database development is integrated into the Microsoft Visual Studio 2005 development environment.
This is my "Hello world" entry from BLInk.

Here are some of my favorite quotes I captured during the XML DevCon.
Tim Ewald
WS-Hope
Completely changed his slides from his original submission a couple of weeks ago.
XML over HTTP is low cost, great benefit.
[Tim just walked up the aisle and almost punched me in the face as he made a gesture. I would have been so honored.]
Tools can be changed. They can be enhanced much more easily than the underlying technologies. Today the tools to manipulate XML are crude.
The 3 Faces of Web Services (It depends on who you ask...)
Web services are defined as a number of different things, depending on who you ask. It depends on their frame of reference - how do they use it? what problem are they trying to solve? It's all about cost and benefit.
- Soap-centric face
- WSDL-centric face
- XML over HTTP face
"Son, you should always make it easy for people to pay you."
"If your customers want to work with you using XML over HTTP, then great, go with it."
"Easy is good because it makes it easy for people to pay you."
"My brother can build a house with 2 tools."
Where are the semantics? (What do you mean? What do I mean?)
At the action URI, message, endpoint, child?
Having the semantics in the message makes sense. Putting it in the port type requires a bit more thinking.
Contract First! (Toolkit is an implementation detail)
- Tools help with: Codegen, communication, validation
- One of the tenets of SOA: we share contracts, not types [Tim said this backwards at first, and Stuart's face almost turned inside out.]
- Sample data is great, but having schema to define the edges of the problem space is really helpful
Easy access to the wire (Only pay for what you need)
- XML over HTTP is easy to consume - very low level, not a ton of overhead
- The tools for consuming SOAP are not the best in the world and sometimes make it more difficult to use / consume.
- With many tools there is cost with low benefit, depending on what you need to do
Versioning (Description is in the eye of the beholder)
- if you do code first, with today's tools you only get a 1:1 mapping with a contract
- if you do contract first, you could have multiple tools (code) that work with a given contract
- versioning allows for flexibility, scalability, etc.
[Wow, Tim's talk went by very fast. He's such an effortless speaker. He's fun to listen to.]
Interoperability (A floor, a ceiling, four walls, and no doors)
- there are tools that don't support choice
- there need to be some constraints - but no doors so people can get in and out
- but it's difficult to keep moving forward as you lock things down... "sorry, it's on the wrong side of the floor or ceiling, so you can't do that."
- the problems are in the code that translates (maps) from schema to objects
Hope springs eternal (We're sooooo close)
...And I thought everyone was just talking about a new way to catch fish.
Rory Blyth - Neopoleon.com
Podcasting is a means of syndicating binary content - that's all!
Whether that content is a movie, a song, a radio program, or an image is immaterial. When you truly take advantage of Podcasting, you will be delivering content that would not work as text.
A song isn't just lyrics. It would be easy enough for me to post the lyrics to my songs, but without the context of the music, the lyrics are almost meaningless.
You can't read music, movies, or talk shows.
A talk show can be transcribed, but think about all the successful ones you've ever enjoyed. If it were just about the information, then we could replace David Letterman with Tom Brokaw and expect it to work.
Keith Brown, pluralsight
Top 10 security tips for web service developers
[The talk hasn't even started yet and I'm already getting paranoid again.]
Chris Sells: "I hate security. (Just run as admin.) Yet I always listen when Keith speaks."
Being the security guy is hard. You see a new feature, I see a new exploit.
Poll: who do you guys think is responsible for making applications secure?
Microsoft
We all are
Network admins don't trust developers. That's why they put all these firewalls in our way. That's why we're here talking about XML - it goes through the one open port that they've left us.
Tip 1: Less is more
- Code Access Security is difficult to understand and administer - it is not an example of "less is more"
- Less surface area
- Open ports
- Minimum functionality required to meet the needs
- Run with least privilege (as little as possible to get the job done) You should not run as admin.
- Less custom security code (you want tight integration with your platform - you don't want to have to write it yourself)
- Less secrets
Tip 2: New is often not better
- The latest, greatest security scheme is not always the best
- [However,] there are certain places where you do need the WS-Security stack
- Same for cryptographic algorithms
Tip 3: Trust no input
- Cookie, headers, URL, QueryString, data
- Always assume that it's bad (evil)
- Always validate input
- 2 strategies: 1) filter the data for only what you expect; 2) sandbox the input
- Keep data in the data channel
Data channel example: parameters to a query - you don't want to dynamically concat the input with the execute statement text
Control channel example: a command line, the execute statement, the first argument in a printf() statement
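The data channel / control channel distinction in Tip 3 is easiest to see with the query example side by side. The following is an added illustration, not code from Keith Brown's talk: an in-memory SQLite table (rows constructed for the demo), one lookup that concatenates the input into the statement text, and one that sends the same statement with the input as a bound parameter. The same idea applies to the other control channels listed above (a command line, a printf() format string): keep the template fixed and pass user input only as an argument.

```python
"""Keep data in the data channel: concatenated statement text versus a bound parameter.

Added example, not from the talk. The users table and its rows are constructed here.
"""
import sqlite3


def make_db():
    """Create a throwaway in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the input is spliced into the statement, i.e. into the control channel."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Safe: the statement is fixed; the input travels separately as a parameter value."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups on a textbook quote-breaking input and on a normal one."""
    conn = make_db()
    tricky = "' OR '1'='1"   # a single quote ends the literal in the concatenated version
    return {
        "concat": lookup_concat(conn, tricky),   # every user comes back: the filter was rewritten
        "param": lookup_param(conn, tricky),     # nothing comes back: no user has that exact name
        "normal": lookup_param(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:7s} -> {rows}")
```

Note that the parameterized version is not "filtering" the quote character; it never interprets it at all, which is why it holds up for inputs nobody anticipated, whereas a filter only catches what its author thought of.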
Tip 4: You can't authenticate remote software
- Whatever you do on the client is to make the client user experience better; but, it does not give you security - you need to validate the data on both ends, and at the very least, on the server side
- Don't rely on strong names.
Tip 5: What your program knows, an attacker can discover
- Don't store secrets in your application
- Salt + hash works well
- Think of encryption as a secret "transfer" mechanism - it doesn't eliminate the need for secrets, but it does help make discovery more difficult. (For instance, move the secret to a different box from your program.)
- There's something to be said for slowing down an attack
- Book: "Secrets and Lies" - Protection, detection, and reaction countermeasures
- We'll never get 100% protection
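Tip 5's "salt + hash" point, as an added example (not from the talk): passwords are stored as a per-user random salt plus a PBKDF2-SHA256 digest from the standard library, so the application holds nothing an attacker can read back as a password, identical passwords produce different records, and the iteration count is the "slowing down an attack" knob. The iteration count and sample passwords are constructed choices for the demo.

```python
"""Salted, iterated password hashing with hashlib.pbkdf2_hmac.

Added example, not from Keith Brown's talk. ITERATIONS is an assumed work factor.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record: public random salt, iteration count, and the PBKDF2 digest.

    The record contains no secret: the salt may be public, and the digest cannot be
    reversed to the password, only recomputed from a guess and compared."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def demo():
    """Show a correct login, a rejected one, and that equal passwords get distinct digests."""
    rec1 = hash_password("correct horse")   # constructed sample password
    rec2 = hash_password("correct horse")   # same password, fresh salt
    return {
        "verifies": verify_password("correct horse", rec1),
        "rejects": verify_password("wrong horse", rec1),
        "salts_differ": rec1["digest"] != rec2["digest"],
    }


if __name__ == "__main__":
    print(demo())
```

Storing the iteration count alongside the digest lets you raise the work factor later and re-hash each user on their next successful login without a flag day.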
Tip 6: Understand trust
Tip 7: Wetware is unreliable
- Wetware: humans in the system
- UserName Token
Tip 8: You probably need a longer key
- The minimum you should be using now is a 2K key
- 1024 bit keys are pretty much breakable
- Reasonable length for a symmetric key: 256
Tip 9: Availability is the third pillar
- Confidentiality, Integrity and Availability
- Some people consider availability a core pillar of security. It doesn't matter why the application is not there (whether it's been brought down due to a hacker or due to bad programming) if it's down, it's not working right. [Or something like that.]
- Making sure the application is there when you really need it
- Use instrumentation - such as performance counters, write to event logs
Tip 10: Find the weakest link
- Use THREAT modeling
- "Threat modeling" from MS Press (just came out)
Note: I may have made up some (much?) (most?) of this entry.
Sam Ruby, IBM
ATOM in depth: XML is an attractive nuisance
Definition: An attractive nuisance is any inherently hazardous object or condition of property that can be expected to attract children to investigate or play. (http://insurance.cch.com/rupps/attractive-nuisance-doctrine.htm)
XML is an attractive nuisance. You need to put up a fence around it to make it safe. It looks like fun, it looks safe, it looks approachable, but you need to be careful.
Lowest level: Unicode
Take a look at http://msdn2.microsoft.com for a Unicode error. “Some documentation doesn’t have this page-specific rating link” [Update: this error has already been corrected.]
Smart quotes in an RSS feed will break some aggregators. [Like I’m using now, since I’m using Word as my editor and just copying / pasting into DasBlog.]
Another level up: URIs
Sam is scared as hell. He just said so. I don’t know why he’s scared. He’s too smart for me and I don’t understand what he’s talking about right now. But he’s scared. Should I be scared? I don’t think so, but it may be just because I’m ignorant. I need to read someone else’s blog to see what he’s really talking about. His talk seems very esoteric. But it’s probably important.
Another level up: XML
Ruby’s Postulate: “The accuracy of metadata is inversely proportional to the square of the distance between the data and the metadata.”
He’s still talking, and I’m now starting to get scared. He just said he has 131 slides in his slide deck. I think it’s time for a bathroom break. (Or maybe just a mental break.) He can talk fast, too. Did I say he is real smart?
Summary
Comparing characters and URIs is surprisingly more difficult and important than you might otherwise imagine (think: security holes)
[Bottom line: all this stuff is just a house of cards. RSS sucks. ATOM is a solid foundation on which to build. People laugh when their RSS aggregator shows goofy stuff. But when you want to use this stuff for business processes, it begins to really matter.]
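Sam's summary point, that comparing characters and URIs is harder than it looks, is worth a concrete check. The following is an added example, not from his talk: it applies the RFC 3986 syntax-based normalizations (scheme and host case, percent-encoding case and decoding of unreserved characters only, default port, dot segments) using only the standard library, and NFC normalization for text, then shows which pairs become equal and which stay distinct. The sample URIs and strings are constructed; userinfo is dropped and IDN hosts are not handled, which keeps the example short.

```python
"""Why byte-for-byte equality is the wrong test for URIs and for Unicode text.

Added example, not from Sam Ruby's talk. Implements the RFC 3986 normalizations
that a comparison needs, plus NFC for text. Sample inputs are constructed.
"""
import re
import unicodedata
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def _normalize_pct(s):
    """Decode percent-escapes of unreserved characters; uppercase every other escape.

    %2F is deliberately NOT decoded: an encoded slash is data, a bare slash is a separator."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else m.group(0).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)


def _remove_dot_segments(path):
    """Resolve '.' and '..' segments without going above the root (RFC 3986 5.2.4)."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:
                out.pop()
        elif seg != ".":
            out.append(seg)
    if path.endswith(("/.", "/..")):   # keep the trailing slash these forms imply
        out.append("")
    return "/".join(out)


def normalize_uri(uri):
    """Canonical form for comparison; the fragment is dropped because it never reaches the server."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()          # userinfo is dropped in this demo
    port = parts.port
    netloc = host if port is None or DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    path = _remove_dot_segments(_normalize_pct(parts.path)) or "/"
    query = _normalize_pct(parts.query)
    return urlunsplit((scheme, netloc, path, query, ""))


def same_resource(a, b):
    return normalize_uri(a) == normalize_uri(b)


def same_text(a, b):
    """Compare after NFC so a precomposed character equals its base-plus-combining-mark form."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def demo():
    return {
        "uri_equal": same_resource("HTTP://Example.COM:80/a/./b/../%7econtent?x=%2f",
                                   "http://example.com/a/~content?x=%2F"),
        "uri_distinct": same_resource("http://example.com/a%2Fb", "http://example.com/a/b"),
        "text_equal": same_text("caf\u00e9", "cafe\u0301"),
        "text_distinct": same_text("\u201cquoted\u201d", '"quoted"'),   # smart quotes stay distinct
    }


if __name__ == "__main__":
    print(demo())
```

The two "distinct" cases are the security-relevant ones: an access check that decodes %2F before comparing paths, or that treats smart quotes as plain quotes, is comparing something other than what the server will actually act on.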
Who's blogging this year's XML DevCon?
Me
Rory
Scott Hanselman
Jay Kimble
Rebecca Dias
Aaron Hockley
Don Box
Shawn Morrissey
Robert Hurlbut
John Gossman
I'll update the list as I discover more people who are blogging the conference.
Update: Here's the unofficial list (but way more official than mine) from Chris Sells.
Curious about the different languages available for the .NET Framework?
There are quite a few, and this site has a pretty long list... 42 and counting. (And that's without counting each vendor's version of a language separately. For example, I've counted COBOL as 1 language even though there are 2 vendors - Fujitsu and Micro Focus - shipping a version.)
http://www.dotnetlanguages.net/DNL/Resources.aspx